Can't seem to get concurrent session handling to work properly. Granted that IE8 shares the same session ID between all browser windows, tabs, etc., One would "assume" that if the File -> New Session button of IE8 were used to create a new session, the concurrent session handling filter would notice the two active sessions for the same user and return the expired-url page.
Other than implementing the <session-management> element:
and adding the HttpSessionEventPublisher to the web.xml:
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login.jsp?expired=true" />
What could cause ConcurrentSessionHandling to fail?